Internet-Draft TLS Next Protocol Negotiation May 2012
The "extension_data" field of a "next_protocol_negotiation" extension
in a "ServerHello" contains an optional list of protocols advertised
by the server. Protocols are named by opaque, non-empty byte strings
and the list of protocols is serialized as a concatenation of 8-bit,
length prefixed byte strings. Implementations MUST ensure that the
empty string is not included and that no byte strings are truncated.
A new handshake message type ("encrypted_extensions(TBD)") is
defined. If the server included a "next_protocol_negotiation"
extension in its "ServerHello" message, the client MUST send a
"EncryptedExtensions" message after its "ChangeCipherSpec" and before
its "Finished" message.
enum {
encrypted_extensions(TBD), (65535)
} HandshakeType;
Therefore a full handshake with "EncryptedExtensions" has the
following flow (contrast with section 7.3 of RFC 5246 [RFC5246]):
Client Server
ClientHello (NPN extension) -------->
ServerHello
(NPN extension &
list of protocols)
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
EncryptedExtensions
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
An abbreviated handshake with "EncryptedExtensions" has the following
flow:
Langley Expires October 31, 2012 [Page 3]

Internet-Draft TLS Next Protocol Negotiation May 2012
Client Server
ClientHello (NPN extension) -------->
ServerHello
(NPN extension &
list of protocols)
[ChangeCipherSpec]
<-------- Finished
[ChangeCipherSpec]
EncryptedExtensions
Finished -------->
Application Data <-------> Application Data
The "EncryptedExtensions" message contains a series of "Extension"
structures (see section 7.4.1.4 of RFC 5246 [RFC5246]
If the server included a "next_protocol_negotiation" extension in its
"ServerHello" message, the client MUST include an "Extension" with
"extension_type" equal to "next_protocol_negotiation(TBD)". The
"extension_data" of which has the following format:
struct {
opaque selected_protocol<0..255>;
opaque padding<0..255>;
} NextProtocolNegotiationEncryptedExtension;
The contents of "selected_protocol" are an opaque protocol string,
but need not have been advertised by the server. The length of
"padding" SHOULD be 32 - ((len(selected_protocol) + 2) % 32). Note
that len(selected_protocol) does not include its length prefix.
Unlike many other TLS extensions, this extension does not establish
properties of the session, only of the connection. When session
resumption or session tickets [RFC5077] are used, the previous
contents of this extension are irrelevant and only the values in the
new handshake messages are considered.
For the same reasons, after a handshake has been performed for a
given connection, renegotiations on the same connection MUST NOT
include the "next_protocol_negotiation" extension.
4. Protocol selection
It's expected that a client will have a list of protocols that it
supports, in preference order, and will only select a protocol if the
server supports it. In that case, the client SHOULD select the first
protocol advertised by the server that it also supports. In the
event that the client doesn't support any of server's protocols, or
the server doesn't advertise any, it SHOULD select the first protocol
that it supports.
Langley Expires October 31, 2012 [Page 4]

Internet-Draft TLS Next Protocol Negotiation May 2012
There may be cases where the client knows, via other means, that a
server supports an unadvertised protocol. In these cases the client
can simply select that protocol.
5. Design discussion
NPN is an outlier from TLS in several respects: firstly that it
introduces a handshake message between the "ChangeCipherSpec" and
"Finished" message, that the handshake message is padded, and that
the negotiation isn't done purely with the hello messages. All these
aspects of the protocol are intended to prevent middle-ware
discrimination based on the negotiated protocol and follow the
general principle that anything that can be encrypted, should be
encrypted. The server's list of advertised protocols is in the clear
as a compromise between performance and robustness.
6. Security considerations
The server's list of supported protocols is still advertised in the
clear with this extension. This may be undesirable for certain
protocols (such as Tor [tor]) where one could imagine that hostile
networks would terminate any TLS connection with a server that
advertised such a capability. In this case, clients may wish to
opportunistically select a protocol that wasn't advertised by the
server. However, the workings of such a scheme are outside the scope
of this document.
7. IANA Considerations
This document requires IANA to update its registry of TLS extensions
to assign an entry referred to here as "next_protocol_negotiation".
This document also requires IANA to update its registry of TLS
handshake types to assign an entry referred to here as
"encrypted_extensions".
This document also requires IANA to create a registry of TLS Next
Protocol Negotiation protocol strings on a first come, first served
basis, initially containing the following entries:
o "http/1.1": HTTP/1.1 [RFC2616]
o "spdy/1": (obsolete) SPDY version 1
o "spdy/2": SPDY version 2
o "spdy/3": SPDY version 3
8. Acknowledgments
This document benefited specifically from discussions with Wan-Teh
Chang and Nagendra Modadugu.
Langley Expires October 31, 2012 [Page 5]